[SRU][N][PATCH 0/1] CVE-2026-46242

Cengiz Can cengiz.can at canonical.com
Fri Jul 10 08:56:03 UTC 2026


https://ubuntu.com/security/CVE-2026-46242

[ Impact ]

A use-after-free vulnerability exists in the eventpoll subsystem. In
ep_remove(), the code cleared file->f_ep under file->f_lock but continued using
the file inside the critical section. A concurrent __fput() could observe the
transient NULL, skip eventpoll_release_file(), and run to f_op->release,
freeing the watched struct eventpoll while it was still in use. Since struct
file is SLAB_TYPESAFE_BY_RCU, the slot could also be recycled, leading to an
attacker-controllable kmem_cache_free() against the wrong slab cache.

[ Fix ]

noble: backported with AI-assisted adaptation

[ Test Plan ]

Boot tested.

[ Where Problems Could Occur ]

An incorrect fix in the eventpoll subsystem could break epoll file descriptor
lifetime management, causing regressions in reference counting that lead to
leaks, crashes, or hangs for applications relying on epoll.



More information about the kernel-team mailing list